(LiveHacking.Com) – The Python development team have released Python 2.7.3 and 3.2.3 to fix Python’s hash-based types and make them immune to the denial of service attacks disclosed at the Chaos Communication Congress event in December 2011. The flaw is industry-wide and affects many popular web technologies including PHP, ASP.NET, Java and Ruby.

The problem is that programming languages that use hash functions, including Python, are susceptible to collision attacks. To work effectively, hash tables require a well-distributed hash function to spread data evenly across the table. The algorithmic complexity of inserting colliding elements into a table makes it possible to exhaust hours of CPU time and cause a denial of service. Python has two hash-based types, dict and set, and the new releases add randomization to the hashing of Python’s string types, datetime.date, and datetime.datetime. This prevents an attacker from computing colliding keys of these types without access to the Python process.

According to the release announcement, “hash randomization causes the iteration order of dicts and sets to be unpredictable and differ across Python runs. Python has never guaranteed iteration order of keys in a dict or set, and applications are advised to never rely on it.”
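A way to check from the defender's side that randomization is active and that hashes really do differ between runs. This is an added example, not code from the article or the Python project; it assumes a current Python 3 interpreter and uses the PYTHONHASHSEED environment variable and sys.flags.hash_randomization, CPython features the article does not mention. The probed string is a constructed sample.

```python
import os
import subprocess
import sys

# Code run in each child interpreter: report the randomization flag and
# the hash of a constructed sample string.
CHILD = "import sys; print(sys.flags.hash_randomization, hash('livehacking'))"


def probe(seed: str):
    """Start a fresh interpreter with PYTHONHASHSEED=seed; return (flag, hash)."""
    env = dict(os.environ, PYTHONHASHSEED=seed)
    out = subprocess.run(
        [sys.executable, "-c", CHILD],
        env=env, capture_output=True, text=True, check=True,
    ).stdout
    flag, value = out.split()
    return int(flag), int(value)


def survey():
    """Probe with randomization disabled, with fixed seeds, and with a random seed."""
    return {
        "off": (probe("0"), probe("0")),            # seed 0 disables randomization
        "seed1": (probe("1"), probe("1")),          # fixed seed: reproducible
        "seed2": (probe("2"),),                     # different seed: different hash
        "random": (probe("random"), probe("random")),
    }


if __name__ == "__main__":
    for name, runs in survey().items():
        print(name, runs)
```

A flag of 0 in a deployed service means string hashes are predictable to anyone who knows the interpreter version, which is the condition the releases were meant to remove.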

The new versions of Python also update the expat XML parsing library, which had the same hash security issue. The hashing algorithm used in the expat library is now randomized.

The update also fixes some other security related bugs:

Issue 14001 / CVE-2012-0845 – A denial of service flaw was found in the way the Simple XML-RPC Server module of Python processed client connections that were closed before the complete request body had been received. A remote attacker could use this flaw to cause a Python Simple XML-RPC based server process to consume an excessive amount of CPU.

The team also released Python 2.6.8 and Python 3.1.5 as security-fix source-only releases. 2.6 and 3.1 are now in security maintenance mode only, with no new bug fix releases planned. The Python development team intends to provide source-only security fixes for the Python 2.6 series until October 2013 (five years after the 2.6 final release) and for the Python 3.1 series until June 2014 (five years after the 2.6 final release).

(LiveHacking.Com) – Microsoft has released a “Critical” out-of-band update for .NET which fixes an elevation of privilege vulnerability in .NET across all supported versions of Windows. Microsoft’s prime reason for releasing the update was to address the newly disclosed denial-of-service vulnerability affecting a range of Web development languages including Microsoft’s ASP.NET; however, the update also included fixes which were already committed to the code base.

Before details of the hash table collision denial-of-service vulnerability were released, Microsoft had planned to release a .NET security update addressing three vulnerabilities, one of which was a Critical elevation of privilege vulnerability. Once they received the notification about the elevation of privilege vulnerability, the ASP.NET team fixed it and tested the fix in readiness for the next security update. The hash table collision update therefore includes the already committed privilege elevation fix.

The elevation of privilege vulnerability, which was privately reported to Microsoft, is exploited when an unauthenticated attacker sends a specially crafted web request to the target site. If successful, the attacker can take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. However, to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name. The fix changes the way the .NET Framework handles specially crafted requests, and how the ASP.NET Framework authenticates users and handles cached content.

(LiveHacking.Com) – Security researchers have exposed a flaw in the way popular Web programming languages (like PHP, ASP.NET and Python) handle hash table collisions, resulting in huge CPU usage and a subsequent denial of service. The discoveries were announced yesterday (Wednesday) at the Chaos Communication Congress event in Germany. The flaw is industry-wide and affects many popular web technologies including PHP, ASP.NET, Java, Python, Ruby, Apache Tomcat, Apache Geronimo, Jetty, and Glassfish, as well as Google’s open source JavaScript engine V8.

Although hash collision denial-of-service attacks have been discussed since 2003, Alexander Klink and Julian Wälde have now shown that many programming languages use hash tables while parsing POST forms to make them easily accessible by application developers. And so it is possible for an attacker to send a small number of specially crafted posts to a server, causing high CPU utilization and creating a denial of service condition.

“If the language does not provide a randomized hash function or the application server does not recognize attacks using multi-collisions, an attacker can degenerate the hash table by sending lots of colliding keys. The algorithmic complexity of inserting n elements into the table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request” write the pair in their advisory.
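The quadratic behaviour quoted above, and the effect of the randomization described in the Python article, can be measured on a toy table. This is an added example, not code from the advisory or from any affected project: the chained table, the unkeyed polynomial hash, the keyed BLAKE2 replacement and the sample keys are all constructed for illustration.

```python
import hashlib
import itertools
import os

BUCKETS = 1024  # size of the toy chained hash table (assumption)


def fixed_hash(key: str) -> int:
    """Unkeyed polynomial hash: identical output in every process."""
    h = 0
    for ch in key:
        h = (h * 31 + ord(ch)) & 0xFFFFFFFF
    return h


def make_keyed_hash(secret: bytes):
    """Keyed hash: output depends on a secret chosen per process."""
    def keyed_hash(key: str) -> int:
        d = hashlib.blake2b(key.encode(), key=secret, digest_size=8).digest()
        return int.from_bytes(d, "big")
    return keyed_hash


def insert_cost(keys, hash_fn) -> int:
    """Insert keys into a chained table; return the total key comparisons."""
    table = [[] for _ in range(BUCKETS)]
    comparisons = 0
    for key in keys:
        chain = table[hash_fn(key) % BUCKETS]
        for existing in chain:
            comparisons += 1
            if existing == key:
                break
        else:  # key not present yet: append to the chain
            chain.append(key)
    return comparisons


def colliding_keys(blocks: int):
    """Constructed input: "Aa" and "BB" are equal under fixed_hash, so every
    concatenation of `blocks` such pieces lands in one chain."""
    return ["".join(p) for p in itertools.product(("Aa", "BB"), repeat=blocks)]


def compare(blocks: int = 8):
    """Return (key count, comparisons unkeyed, comparisons keyed)."""
    keys = colliding_keys(blocks)
    keyed = make_keyed_hash(os.urandom(16))  # fresh secret, as at process start
    return len(keys), insert_cost(keys, fixed_hash), insert_cost(keys, keyed)


if __name__ == "__main__":
    n, fixed, keyed = compare()
    print(f"{n} keys: {fixed} comparisons unkeyed, {keyed} keyed")
```

With the unkeyed hash the n keys cost n(n-1)/2 comparisons; with the keyed hash the same keys spread across the table, because colliding inputs cannot be prepared without knowing the secret.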

According to Microsoft’s security advisory, this vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers. For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90 – 110 seconds. The .NET Framework is vulnerable from version 1.0 right through to version 4.0.

Microsoft are rating this out-of-band bulletin as “Critical” and it is likely it will release updates for